From 4233fef23895302a7f3e1e35628cbecef8a263f7 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 5 Sep 2023 15:22:01 -0300 Subject: [PATCH] [Security Content] Include "Data Source: Elastic Defend" tag (#3002) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus --- .../command_and_control_non_standard_ssh_port.toml | 2 +- ...ntial_access_cookies_chromium_browsers_debugging.toml | 2 +- .../defense_evasion_deleting_websvr_access_logs.toml | 2 +- ...se_evasion_deletion_of_bash_command_line_history.toml | 2 +- ...defense_evasion_elastic_agent_service_terminated.toml | 2 +- ...efense_evasion_masquerading_space_after_filename.toml | 2 +- .../cross-platform/defense_evasion_timestomp_touch.toml | 2 +- .../cross-platform/discovery_security_software_grep.toml | 2 +- .../discovery_virtual_machine_fingerprinting_grep.toml | 2 +- .../execution_pentest_eggshell_remote_admin_tool.toml | 2 +- .../execution_python_script_in_cmdline.toml | 2 +- .../execution_revershell_via_shell_cmd.toml | 2 +- .../execution_suspicious_jar_child_process.toml | 2 +- .../execution_suspicious_java_netcon_childproc.toml | 2 +- rules/cross-platform/impact_hosts_file_modified.toml | 2 +- ...e_credential_access_modify_auth_module_or_config.toml | 2 +- .../persistence_shell_profile_modification.toml | 2 +- .../persistence_ssh_authorized_keys_modification.toml | 2 +- .../privilege_escalation_echo_nopasswd_sudoers.toml | 2 +- ...ilege_escalation_setuid_setgid_bit_set_via_chmod.toml | 2 +- .../privilege_escalation_sudo_buffer_overflow.toml | 2 +- .../privilege_escalation_sudoers_file_mod.toml | 2 +- .../defense_evasion_azure_blob_permissions_modified.toml | 2 +- .../linux/command_and_control_linux_iodine_activity.toml | 8 +------- ...picious_network_activity_from_unknown_executable.toml | 2 +- .../command_and_control_tunneling_via_earthworm.toml | 2 +- .../credential_access_collection_sensitive_files.toml | 2 +- rules/linux/credential_access_credential_dumping.toml | 2 +- ..._access_potential_linux_local_account_bruteforce.toml | 2 +- .../linux/credential_access_proc_credential_dumping.toml | 2 +- rules/linux/credential_access_ssh_backdoor_log.toml | 2 +- ..._evasion_attempt_to_disable_iptables_or_firewall.toml | 2 +- ...efense_evasion_attempt_to_disable_syslog_service.toml | 2 +- ...n_base16_or_base32_encoding_or_decoding_activity.toml | 2 +- rules/linux/defense_evasion_chattr_immutable_file.toml | 2 +- rules/linux/defense_evasion_disable_selinux_attempt.toml | 2 +- .../defense_evasion_esxi_suspicious_timestomp_touch.toml | 2 +- rules/linux/defense_evasion_file_deletion_via_shred.toml | 2 +- rules/linux/defense_evasion_file_mod_writable_dir.toml | 2 +- rules/linux/defense_evasion_hidden_file_dir_tmp.toml | 2 +- rules/linux/defense_evasion_hidden_shared_object.toml | 2 +- rules/linux/defense_evasion_kernel_module_removal.toml | 2 +- ...vasion_ld_preload_env_variable_process_injection.toml | 9 +-------- rules/linux/defense_evasion_log_files_deleted.toml | 2 +- rules/linux/defense_evasion_mount_execution.toml | 2 +- .../linux/defense_evasion_potential_proot_exploits.toml | 2 +- rules/linux/defense_evasion_rename_esxi_files.toml | 2 +- rules/linux/defense_evasion_rename_esxi_index_file.toml | 2 +- rules/linux/discovery_esxi_software_via_find.toml | 2 +- rules/linux/discovery_esxi_software_via_grep.toml | 2 +- rules/linux/discovery_kernel_module_enumeration.toml | 2 +- rules/linux/discovery_linux_hping_activity.toml | 2 +- rules/linux/discovery_linux_nping_activity.toml | 2 +- .../discovery_sudo_allowed_command_enumeration.toml | 2 +- rules/linux/discovery_suid_sguid_enumeration.toml | 2 +- .../linux/discovery_virtual_machine_fingerprinting.toml | 2 +- ...file_transfer_or_listener_established_via_netcat.toml | 2 +- rules/linux/execution_perl_tty_shell.toml | 2 +- .../execution_process_started_from_process_id_file.toml | 2 +- ...ution_process_started_in_shared_memory_directory.toml | 2 +- rules/linux/execution_python_tty_shell.toml | 2 +- .../execution_remote_code_execution_via_postgresql.toml | 2 +- rules/linux/execution_shell_evasion_linux_binary.toml | 2 +- ...ion_shell_suspicious_parent_child_revshell_linux.toml | 2 +- rules/linux/execution_shell_via_java_revshell_linux.toml | 2 +- .../execution_shell_via_lolbin_interpreter_linux.toml | 2 +- rules/linux/execution_shell_via_suspicious_binary.toml | 2 +- .../linux/execution_shell_via_tcp_cli_utility_linux.toml | 2 +- ...tion_sus_extraction_or_decrompression_via_funzip.toml | 2 +- ...on_suspicious_executable_running_system_commands.toml | 2 +- ...cution_suspicious_mining_process_creation_events.toml | 2 +- rules/linux/execution_tc_bpf_filter.toml | 2 +- rules/linux/impact_data_encrypted_via_openssl.toml | 2 +- rules/linux/impact_esxi_process_kill.toml | 2 +- ...mpact_potential_linux_ransomware_file_encryption.toml | 2 +- .../impact_potential_linux_ransomware_note_detected.toml | 2 +- rules/linux/impact_process_kill_threshold.toml | 2 +- ...ateral_movement_telnet_network_activity_external.toml | 2 +- ...ateral_movement_telnet_network_activity_internal.toml | 2 +- rules/linux/persistence_chkconfig_service_add.toml | 2 +- ...ersistence_credential_access_modify_ssh_binaries.toml | 2 +- rules/linux/persistence_cron_job_creation.toml | 2 +- rules/linux/persistence_dynamic_linker_backup.toml | 2 +- rules/linux/persistence_etc_file_creation.toml | 2 +- rules/linux/persistence_init_d_file_creation.toml | 2 +- rules/linux/persistence_insmod_kernel_module_load.toml | 2 +- rules/linux/persistence_kde_autostart_modification.toml | 2 +- .../linux/persistence_linux_backdoor_user_creation.toml | 2 +- .../persistence_linux_shell_activity_via_web_server.toml | 2 +- ...persistence_linux_user_added_to_privileged_group.toml | 2 +- rules/linux/persistence_message_of_the_day_creation.toml | 2 +- .../linux/persistence_message_of_the_day_execution.toml | 2 +- rules/linux/persistence_rc_script_creation.toml | 2 +- rules/linux/persistence_shared_object_creation.toml | 2 +- .../persistence_systemd_scheduled_timer_created.toml | 2 +- rules/linux/persistence_systemd_service_creation.toml | 2 +- ...ge_escalation_chown_chmod_unauthorized_file_read.toml | 2 +- ...ilege_escalation_container_util_misconfiguration.toml | 2 +- ...vilege_escalation_ld_preload_shared_object_modif.toml | 2 +- ...vilege_escalation_linux_suspicious_symbolic_link.toml | 2 +- .../privilege_escalation_linux_uid_int_max_bug.toml | 2 +- ...e_escalation_load_and_unload_of_kernel_via_kexec.toml | 2 +- .../privilege_escalation_overlayfs_local_privesc.toml | 2 +- .../linux/privilege_escalation_pkexec_envar_hijack.toml | 2 +- ...vilege_escalation_potential_wildcard_shell_spawn.toml | 2 +- .../privilege_escalation_sda_disk_mount_non_root.toml | 2 +- rules/linux/privilege_escalation_shadow_file_read.toml | 2 +- rules/linux/privilege_escalation_sudo_hijacking.toml | 2 +- ...lege_escalation_sudo_token_via_process_injection.toml | 2 +- ...vilege_escalation_unshare_namespace_manipulation.toml | 2 +- .../privilege_escalation_writable_docker_socket.toml | 2 +- ...al_access_access_to_browser_credentials_procargs.toml | 2 +- rules/macos/credential_access_credentials_keychains.toml | 2 +- .../macos/credential_access_dumping_hashes_bi_cmds.toml | 2 +- .../credential_access_dumping_keychain_security.toml | 2 +- rules/macos/credential_access_kerberosdump_kcc.toml | 2 +- ...ntial_access_keychain_pwd_retrieval_security_cmd.toml | 2 +- .../macos/credential_access_mitm_localhost_webproxy.toml | 2 +- ...credential_access_potential_macos_ssh_bruteforce.toml | 2 +- .../credential_access_promt_for_pwd_via_osascript.toml | 2 +- rules/macos/credential_access_systemkey_dumping.toml | 2 +- .../defense_evasion_apple_softupdates_modification.toml | 2 +- .../defense_evasion_attempt_del_quarantine_attrib.toml | 2 +- .../defense_evasion_attempt_to_disable_gatekeeper.toml | 2 +- .../macos/defense_evasion_install_root_certificate.toml | 2 +- .../defense_evasion_modify_environment_launchctl.toml | 2 +- ...asion_privacy_controls_tcc_database_modification.toml | 2 +- ...lege_escalation_privacy_pref_sshd_fulldiskaccess.toml | 2 +- rules/macos/defense_evasion_safari_config_change.toml | 2 +- ...evasion_sandboxed_office_app_suspicious_zip_file.toml | 2 +- .../defense_evasion_tcc_bypass_mounted_apfs_access.toml | 2 +- .../defense_evasion_unload_endpointsecurity_kext.toml | 2 +- .../macos/discovery_users_domain_built_in_commands.toml | 2 +- ...n_defense_evasion_electron_app_childproc_node_js.toml | 2 +- ...tion_initial_access_suspicious_browser_childproc.toml | 2 +- ...xecution_installer_package_spawned_network_event.toml | 2 +- .../macos/execution_script_via_automator_workflows.toml | 2 +- ...tion_scripting_osascript_exec_followed_by_netcon.toml | 2 +- .../execution_shell_execution_via_apple_scripting.toml | 2 +- ...al_access_suspicious_mac_ms_office_child_process.toml | 2 +- ...vement_credential_access_kerberos_bifrostconsole.toml | 2 +- rules/macos/lateral_movement_mounting_smb_share.toml | 2 +- .../macos/lateral_movement_remote_ssh_login_enabled.toml | 2 +- rules/macos/lateral_movement_vpn_connection_attempt.toml | 2 +- .../persistence_account_creation_hide_at_logon.toml | 2 +- .../persistence_creation_change_launch_agents_file.toml | 2 +- ...persistence_creation_hidden_login_item_osascript.toml | 2 +- ...ersistence_creation_modif_launch_deamon_sequence.toml | 2 +- ..._credential_access_authorization_plugin_creation.toml | 2 +- rules/macos/persistence_crontab_creation.toml | 2 +- ...ion_hidden_launch_agent_deamon_logonitem_process.toml | 2 +- ...sistence_directory_services_plugins_modification.toml | 2 +- .../persistence_docker_shortcuts_plist_modification.toml | 2 +- rules/macos/persistence_emond_rules_file_creation.toml | 2 +- .../macos/persistence_emond_rules_process_execution.toml | 2 +- rules/macos/persistence_enable_root_account.toml | 2 +- ...ence_evasion_hidden_launch_agent_deamon_creation.toml | 2 +- .../macos/persistence_finder_sync_plugin_pluginkit.toml | 2 +- .../macos/persistence_folder_action_scripts_runtime.toml | 2 +- rules/macos/persistence_login_logout_hooks_defaults.toml | 2 +- .../persistence_loginwindow_plist_modification.toml | 2 +- ...stence_modification_sublime_app_plugin_or_script.toml | 2 +- rules/macos/persistence_periodic_tasks_file_mdofiy.toml | 2 +- ...ence_screensaver_engine_unexpected_child_process.toml | 2 +- .../persistence_screensaver_plist_file_modification.toml | 2 +- .../persistence_suspicious_calendar_modification.toml | 2 +- .../persistence_via_atom_init_file_modification.toml | 2 +- ...rivilege_escalation_applescript_with_admin_privs.toml | 2 +- ...rivilege_escalation_explicit_creds_via_scripting.toml | 2 +- ...ivilege_escalation_exploit_adobe_acrobat_updater.toml | 3 ++- .../privilege_escalation_local_user_added_to_admin.toml | 2 +- .../macos/privilege_escalation_root_crontab_filemod.toml | 2 +- .../collection_email_outlook_mailbox_via_com.toml | 2 +- .../collection_email_powershell_exchange_mailbox.toml | 2 +- rules/windows/collection_winrar_encryption.toml | 2 +- rules/windows/command_and_control_certreq_postdata.toml | 2 +- .../command_and_control_certutil_network_connection.toml | 2 +- .../windows/command_and_control_common_webservices.toml | 2 +- .../command_and_control_dns_tunneling_nslookup.toml | 1 + ...ommand_and_control_encrypted_channel_freesslcert.toml | 2 +- rules/windows/command_and_control_iexplore_via_com.toml | 2 +- .../command_and_control_ingress_transfer_bits.toml | 2 +- ..._control_new_terms_commonly_abused_rat_execution.toml | 2 +- ...mmand_and_control_port_forwarding_added_registry.toml | 1 + rules/windows/command_and_control_rdp_tunnel_plink.toml | 1 + ...d_and_control_remote_file_copy_desktopimgdownldr.toml | 1 + .../command_and_control_remote_file_copy_mpcmdrun.toml | 1 + .../command_and_control_remote_file_copy_powershell.toml | 2 +- .../command_and_control_remote_file_copy_scripts.toml | 2 +- ...ommand_and_control_sunburst_c2_activity_detected.toml | 2 +- .../command_and_control_teamviewer_remote_file_copy.toml | 1 + rules/windows/credential_access_cmdline_dump_tool.toml | 1 + ...dential_access_copy_ntds_sam_volshadowcp_cmdline.toml | 2 +- .../credential_access_credential_dumping_msbuild.toml | 2 +- ...edential_access_domain_backup_dpapi_private_keys.toml | 2 +- rules/windows/credential_access_dump_registry_hives.toml | 1 + rules/windows/credential_access_generic_localdumps.toml | 2 +- .../credential_access_iis_apppoolsa_pwd_appcmd.toml | 2 +- .../credential_access_iis_connectionstrings_dumping.toml | 2 +- .../credential_access_kerberoasting_unusual_process.toml | 2 +- .../windows/credential_access_lsass_loaded_susp_dll.toml | 2 +- .../credential_access_lsass_memdump_file_created.toml | 1 + .../windows/credential_access_lsass_openprocess_api.toml | 2 +- .../credential_access_mimikatz_memssp_default_logs.toml | 1 + .../credential_access_mod_wdigest_security_provider.toml | 1 + .../credential_access_moving_registry_hive_via_smb.toml | 1 + ..._persistence_network_logon_provider_modification.toml | 2 +- ...edential_access_relay_ntlm_auth_via_http_spoolss.toml | 2 +- .../credential_access_remote_sam_secretsdump.toml | 1 + .../windows/credential_access_saved_creds_vaultcmd.toml | 2 +- ...tial_access_symbolic_link_to_shadow_copy_created.toml | 1 + .../credential_access_wireless_creds_dumping.toml | 1 + ...ing_the_hidden_file_attribute_with_via_attribexe.toml | 2 +- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml | 1 + rules/windows/defense_evasion_amsienable_key_mod.toml | 1 + ...defense_evasion_clearing_windows_console_history.toml | 1 + .../defense_evasion_clearing_windows_event_logs.toml | 1 + ...n_code_signing_policy_modification_builtin_tools.toml | 3 ++- ...vasion_code_signing_policy_modification_registry.toml | 3 ++- .../defense_evasion_create_mod_root_certificate.toml | 1 + .../defense_evasion_defender_disabled_via_registry.toml | 1 + ...efense_evasion_defender_exclusion_via_powershell.toml | 1 + ...se_evasion_delete_volume_usn_journal_with_fsutil.toml | 2 +- .../defense_evasion_disable_posh_scriptblocklogging.toml | 1 + ...vasion_disable_windows_firewall_rules_with_netsh.toml | 1 + ...se_evasion_disabling_windows_defender_powershell.toml | 1 + .../windows/defense_evasion_disabling_windows_logs.toml | 1 + .../windows/defense_evasion_dns_over_https_enabled.toml | 2 +- .../defense_evasion_dotnet_compiler_parent_process.toml | 2 +- .../defense_evasion_enable_inbound_rdp_with_netsh.toml | 1 + ...ense_evasion_enable_network_discovery_with_netsh.toml | 1 + ..._evasion_execution_control_panel_suspicious_args.toml | 2 +- .../defense_evasion_execution_lolbas_wuauclt.toml | 2 +- ..._evasion_execution_msbuild_started_by_office_app.toml | 1 + ...ense_evasion_execution_msbuild_started_by_script.toml | 2 +- ...sion_execution_msbuild_started_by_system_process.toml | 2 +- ...efense_evasion_execution_msbuild_started_renamed.toml | 1 + ...evasion_execution_msbuild_started_unusal_process.toml | 2 +- ...se_evasion_execution_suspicious_explorer_winword.toml | 2 +- ...defense_evasion_execution_windefend_unusual_path.toml | 2 +- .../defense_evasion_file_creation_mult_extension.toml | 2 +- .../windows/defense_evasion_from_unusual_directory.toml | 2 +- ...defense_evasion_hide_encoded_executable_registry.toml | 2 +- .../defense_evasion_iis_httplogging_disabled.toml | 2 +- rules/windows/defense_evasion_installutil_beacon.toml | 2 +- ...evasion_masquerading_as_elastic_endpoint_process.toml | 2 +- .../defense_evasion_masquerading_renamed_autoit.toml | 1 + ...asion_masquerading_suspicious_werfault_childproc.toml | 2 +- .../defense_evasion_masquerading_trusted_directory.toml | 2 +- rules/windows/defense_evasion_masquerading_werfault.toml | 2 +- .../defense_evasion_microsoft_defender_tampering.toml | 2 +- ...e_evasion_misc_lolbin_connecting_to_the_internet.toml | 2 +- .../windows/defense_evasion_msbuild_beacon_sequence.toml | 2 +- ...fense_evasion_msbuild_making_network_connections.toml | 2 +- rules/windows/defense_evasion_mshta_beacon.toml | 2 +- rules/windows/defense_evasion_msxsl_beacon.toml | 2 +- rules/windows/defense_evasion_msxsl_network.toml | 2 +- ...e_evasion_network_connection_from_windows_binary.toml | 2 +- .../defense_evasion_parent_process_pid_spoofing.toml | 2 +- ...se_evasion_persistence_account_tokenfilterpolicy.toml | 1 + .../defense_evasion_potential_processherpaderping.toml | 2 +- ...nse_evasion_powershell_windows_firewall_disabled.toml | 1 + ...evasion_process_termination_followed_by_deletion.toml | 2 +- .../defense_evasion_proxy_execution_via_msdt.toml | 2 +- rules/windows/defense_evasion_rundll32_no_arguments.toml | 2 +- ...efense_evasion_scheduledjobs_at_protocol_enabled.toml | 2 +- .../defense_evasion_sdelete_like_filename_rename.toml | 2 +- rules/windows/defense_evasion_sip_provider_mod.toml | 2 +- ...olarwinds_backdoor_service_disabled_via_registry.toml | 2 +- .../defense_evasion_suspicious_certutil_commands.toml | 2 +- ...evasion_suspicious_execution_from_mounted_device.toml | 2 +- ...ense_evasion_suspicious_managedcode_host_process.toml | 2 +- .../windows/defense_evasion_suspicious_scrobj_load.toml | 2 +- .../defense_evasion_suspicious_short_program_name.toml | 2 +- rules/windows/defense_evasion_suspicious_wmi_script.toml | 2 +- .../defense_evasion_suspicious_zoom_child_process.toml | 2 +- ...sion_system_critical_proc_abnormal_file_activity.toml | 1 + ...defense_evasion_unsigned_dll_loaded_from_suspdir.toml | 2 +- .../windows/defense_evasion_untrusted_driver_loaded.toml | 2 +- .../defense_evasion_unusual_ads_file_creation.toml | 2 +- rules/windows/defense_evasion_unusual_dir_ads.toml | 2 +- ...e_evasion_unusual_network_connection_via_dllhost.toml | 2 +- ..._evasion_unusual_network_connection_via_rundll32.toml | 2 +- ...fense_evasion_unusual_process_network_connection.toml | 2 +- .../defense_evasion_unusual_system_vp_child_program.toml | 2 +- rules/windows/defense_evasion_via_filter_manager.toml | 2 +- rules/windows/defense_evasion_wsl_bash_exec.toml | 2 +- rules/windows/defense_evasion_wsl_child_process.toml | 2 +- rules/windows/defense_evasion_wsl_enabled_via_dism.toml | 2 +- rules/windows/defense_evasion_wsl_filesystem.toml | 2 +- rules/windows/defense_evasion_wsl_kalilinux.toml | 2 +- .../defense_evasion_wsl_registry_modification.toml | 2 +- rules/windows/discovery_adfind_command_activity.toml | 2 +- rules/windows/discovery_admin_recon.toml | 2 +- rules/windows/discovery_command_system_account.toml | 2 +- .../discovery_enumerating_domain_trusts_via_dsquery.toml | 2 +- .../discovery_enumerating_domain_trusts_via_nltest.toml | 2 +- .../windows/discovery_files_dir_systeminfo_via_cmd.toml | 2 +- .../windows/discovery_group_policy_object_discovery.toml | 2 +- rules/windows/discovery_net_view.toml | 2 +- rules/windows/discovery_peripheral_device.toml | 2 +- .../discovery_post_exploitation_external_ip_lookup.toml | 2 +- ...scovery_remote_system_discovery_commands_windows.toml | 2 +- rules/windows/discovery_security_software_wmic.toml | 2 +- rules/windows/discovery_system_service_discovery.toml | 2 +- rules/windows/discovery_system_time_discovery.toml | 2 +- rules/windows/discovery_whoami_command_activity.toml | 2 +- ...ion_apt_solarwinds_backdoor_child_cmd_powershell.toml | 2 +- ..._apt_solarwinds_backdoor_unusual_child_processes.toml | 2 +- rules/windows/execution_com_object_xwizard.toml | 2 +- ...cution_command_prompt_connecting_to_the_internet.toml | 2 +- .../execution_command_shell_started_by_svchost.toml | 2 +- ...ecution_command_shell_started_by_unusual_process.toml | 2 +- rules/windows/execution_command_shell_via_rundll32.toml | 2 +- rules/windows/execution_downloaded_shortcut_files.toml | 2 +- rules/windows/execution_downloaded_url_file.toml | 2 +- rules/windows/execution_enumeration_via_wmiprvse.toml | 2 +- rules/windows/execution_from_unusual_path_cmdline.toml | 1 + ...lp_executable_program_connecting_to_the_internet.toml | 2 +- rules/windows/execution_ms_office_written_file.toml | 2 +- rules/windows/execution_pdf_written_file.toml | 2 +- .../execution_psexec_lateral_movement_command.toml | 2 +- ...gister_server_program_connecting_to_the_internet.toml | 2 +- .../execution_scheduled_task_powershell_source.toml | 2 +- .../windows/execution_shared_modules_local_sxs_dll.toml | 2 +- rules/windows/execution_suspicious_cmd_wmi.toml | 2 +- .../execution_suspicious_image_load_wmi_ms_office.toml | 2 +- rules/windows/execution_suspicious_pdf_reader.toml | 2 +- .../windows/execution_suspicious_powershell_imgload.toml | 2 +- rules/windows/execution_suspicious_psexesvc.toml | 2 +- rules/windows/execution_via_compiled_html_file.toml | 2 +- rules/windows/execution_via_hidden_shell_conhost.toml | 2 +- rules/windows/impact_backup_file_deletion.toml | 2 +- .../impact_deleting_backup_catalogs_with_wbadmin.toml | 2 +- rules/windows/impact_modification_of_boot_config.toml | 2 +- rules/windows/impact_stop_process_service_threshold.toml | 2 +- ...ume_shadow_copy_deletion_or_resized_via_vssadmin.toml | 2 +- ...mpact_volume_shadow_copy_deletion_via_powershell.toml | 2 +- .../impact_volume_shadow_copy_deletion_via_wmic.toml | 2 +- ...tial_access_evasion_suspicious_htm_file_creation.toml | 2 +- .../initial_access_execution_via_office_addins.toml | 2 +- .../initial_access_exfiltration_first_time_seen_usb.toml | 2 +- .../initial_access_script_executing_powershell.toml | 2 +- .../initial_access_scripts_process_started_via_wmi.toml | 2 +- .../initial_access_suspicious_ms_exchange_files.toml | 2 +- .../initial_access_suspicious_ms_exchange_process.toml | 2 +- ...cess_suspicious_ms_exchange_worker_child_process.toml | 2 +- ...nitial_access_suspicious_ms_office_child_process.toml | 2 +- ...itial_access_suspicious_ms_outlook_child_process.toml | 2 +- .../initial_access_unusual_dns_service_children.toml | 2 +- .../initial_access_unusual_dns_service_file_writes.toml | 2 +- ...access_via_explorer_suspicious_child_parent_args.toml | 2 +- rules/windows/lateral_movement_cmd_service.toml | 2 +- rules/windows/lateral_movement_dcom_hta.toml | 2 +- rules/windows/lateral_movement_dcom_mmc20.toml | 2 +- ...ral_movement_dcom_shellwindow_shellbrowserwindow.toml | 2 +- ...ense_evasion_lanman_nullsessionpipe_modification.toml | 2 +- .../lateral_movement_direct_outbound_smb_connection.toml | 2 +- .../windows/lateral_movement_evasion_rdp_shadowing.toml | 2 +- .../lateral_movement_executable_tool_transfer_smb.toml | 2 +- .../lateral_movement_execution_from_tsclient_mup.toml | 2 +- ...eral_movement_execution_via_file_shares_sequence.toml | 2 +- .../lateral_movement_incoming_winrm_shell_execution.toml | 2 +- rules/windows/lateral_movement_incoming_wmi.toml | 2 +- ...ateral_movement_mount_hidden_or_webdav_share_net.toml | 2 +- .../lateral_movement_powershell_remoting_target.toml | 2 +- rules/windows/lateral_movement_rdp_enabled_registry.toml | 2 +- rules/windows/lateral_movement_rdp_sharprdp_target.toml | 2 +- .../lateral_movement_remote_file_copy_hidden_share.toml | 2 +- rules/windows/lateral_movement_remote_services.toml | 2 +- .../windows/lateral_movement_scheduled_task_target.toml | 2 +- ...lateral_movement_suspicious_rdp_client_imageload.toml | 2 +- .../lateral_movement_via_startup_folder_rdp_smb.toml | 2 +- rules/windows/persistence_adobe_hijack_persistence.toml | 2 +- rules/windows/persistence_app_compat_shim.toml | 2 +- rules/windows/persistence_appcertdlls_registry.toml | 2 +- rules/windows/persistence_appinitdlls_registry.toml | 2 +- rules/windows/persistence_driver_newterm_imphash.toml | 2 +- ...ersistence_evasion_hidden_local_account_creation.toml | 2 +- .../persistence_evasion_registry_ifeo_injection.toml | 2 +- ...e_evasion_registry_startup_shell_folder_modified.toml | 2 +- .../persistence_gpo_schtask_service_creation.toml | 2 +- .../persistence_local_scheduled_job_creation.toml | 2 +- .../persistence_local_scheduled_task_creation.toml | 2 +- .../persistence_local_scheduled_task_scripting.toml | 2 +- rules/windows/persistence_ms_office_addins_file.toml | 2 +- rules/windows/persistence_ms_outlook_vba_template.toml | 2 +- ...ce_powershell_exch_mailbox_activesync_add_device.toml | 2 +- rules/windows/persistence_powershell_profiles.toml | 2 +- ...tence_priv_escalation_via_accessibility_features.toml | 2 +- rules/windows/persistence_registry_uncommon.toml | 2 +- rules/windows/persistence_run_key_and_startup_broad.toml | 2 +- .../persistence_runtime_run_key_startup_susp_procs.toml | 2 +- rules/windows/persistence_service_dll_unsigned.toml | 2 +- rules/windows/persistence_services_registry.toml | 2 +- ...tartup_folder_file_written_by_suspicious_process.toml | 2 +- ..._startup_folder_file_written_by_unsigned_process.toml | 2 +- rules/windows/persistence_startup_folder_scripts.toml | 2 +- .../persistence_suspicious_com_hijack_registry.toml | 2 +- ...e_suspicious_image_load_scheduled_task_ms_office.toml | 2 +- .../persistence_suspicious_scheduled_task_runtime.toml | 2 +- .../persistence_suspicious_service_created_registry.toml | 2 +- .../windows/persistence_system_shells_via_services.toml | 2 +- rules/windows/persistence_time_provider_mod.toml | 2 +- rules/windows/persistence_user_account_creation.toml | 2 +- rules/windows/persistence_via_application_shimming.toml | 2 +- .../windows/persistence_via_bits_job_notify_command.toml | 2 +- .../persistence_via_hidden_run_key_valuename.toml | 2 +- ...tence_via_lsa_security_support_provider_registry.toml | 2 +- ...nce_via_telemetrycontroller_scheduledtask_hijack.toml | 2 +- ...rsistence_via_update_orchestrator_service_hijack.toml | 2 +- ...ws_management_instrumentation_event_subscription.toml | 2 +- .../persistence_via_wmi_stdregprov_run_services.toml | 2 +- ...rsistence_via_xp_cmdshell_mssql_stored_procedure.toml | 2 +- rules/windows/persistence_webshell_detection.toml | 2 +- .../privilege_escalation_disable_uac_registry.toml | 2 +- .../windows/privilege_escalation_installertakeover.toml | 2 +- rules/windows/privilege_escalation_lsa_auth_package.toml | 2 +- .../privilege_escalation_named_pipe_impersonation.toml | 1 + .../privilege_escalation_persistence_phantom_dll.toml | 3 ++- ...ege_escalation_port_monitor_print_pocessor_abuse.toml | 2 +- ...ilege_escalation_printspooler_registry_copyfiles.toml | 2 +- ..._escalation_printspooler_service_suspicious_file.toml | 2 +- ...escalation_printspooler_suspicious_file_deletion.toml | 2 +- ...lege_escalation_printspooler_suspicious_spl_file.toml | 2 +- ...rivilege_escalation_rogue_windir_environment_var.toml | 2 +- ...ge_escalation_service_control_spawned_script_int.toml | 2 +- .../privilege_escalation_uac_bypass_com_clipup.toml | 2 +- .../privilege_escalation_uac_bypass_com_ieinstal.toml | 2 +- ...e_escalation_uac_bypass_com_interface_icmluautil.toml | 2 +- ...ivilege_escalation_uac_bypass_diskcleanup_hijack.toml | 2 +- .../privilege_escalation_uac_bypass_dll_sideloading.toml | 2 +- .../privilege_escalation_uac_bypass_event_viewer.toml | 2 +- .../privilege_escalation_uac_bypass_mock_windir.toml | 2 +- ...privilege_escalation_uac_bypass_winfw_mmc_hijack.toml | 2 +- rules/windows/privilege_escalation_uac_sdclt.toml | 2 +- ...lege_escalation_unusual_parentchild_relationship.toml | 2 +- ...ege_escalation_unusual_printspooler_childprocess.toml | 2 +- ...e_escalation_unusual_svchost_childproc_childless.toml | 2 +- .../windows/privilege_escalation_via_ppid_spoofing.toml | 2 +- rules/windows/privilege_escalation_via_token_theft.toml | 2 +- .../windows/privilege_escalation_wpad_exploitation.toml | 2 +- .../collection_linux_suspicious_clipboard_activity.toml | 2 +- .../command_and_control_non_standard_http_port.toml | 2 +- ...nse_evasion_creation_of_hidden_files_directories.toml | 2 +- rules_building_block/defense_evasion_dll_hijack.toml | 8 ++++---- .../defense_evasion_file_permission_modification.toml | 2 +- .../defense_evasion_generic_deletion.toml | 2 +- .../defense_evasion_masquerading_communication_apps.toml | 2 +- .../defense_evasion_processes_with_trailing_spaces.toml | 4 ++-- .../discovery_generic_account_groups.toml | 2 +- .../discovery_generic_process_discovery.toml | 2 +- .../discovery_generic_registry_query.toml | 2 +- rules_building_block/discovery_hosts_file_access.toml | 2 +- .../discovery_internet_capabilities.toml | 2 +- .../discovery_linux_system_information_discovery.toml | 2 +- .../discovery_linux_system_owner_user_discovery.toml | 2 +- ...iscovery_of_accounts_or_groups_via_builtin_tools.toml | 2 +- rules_building_block/discovery_of_domain_groups.toml | 2 +- .../discovery_process_discovery_via_builtin_tools.toml | 2 +- .../discovery_system_network_connections.toml | 2 +- .../discovery_win_network_connections.toml | 2 +- .../discovery_windows_system_information_discovery.toml | 2 +- .../execution_unsigned_service_executable.toml | 2 +- .../persistence_creation_of_kernel_module.toml | 2 +- ...ersistence_suspicious_file_opened_through_editor.toml | 2 +- .../privilege_escalation_expired_driver_loaded.toml | 2 +- .../privilege_escalation_trap_execution.toml | 2 +- .../privilege_escalation_unquoted_service_path.toml | 2 +- tests/test_all_rules.py | 2 +- 470 files changed, 478 insertions(+), 451 deletions(-) diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml index 279ac6ac6..9ab2adb5f 100644 --- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml @@ -30,7 +30,7 @@ references = ["https://attack.mitre.org/techniques/T1571/"] risk_score = 21 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index 914c8924b..5c3412363 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -33,7 +33,7 @@ references = [ risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index d92aa479d..9c8e3f776 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index ee9dcebb2..89b2d8552 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 49a518262..e1e835acc 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index c9028b0fc..eb6c35024 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -30,7 +30,7 @@ references = [ risk_score = 47 rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index 2eb32d1ce..b0069f9a4 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 5faa2f209..902e64eb4 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index 403dc2fa6..240ed694d 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -32,7 +32,7 @@ references = ["https://objective-see.com/blog/blog_0x4F.html"] risk_score = 47 rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index 63059c620..f8a9ba363 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -18,7 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"] risk_score = 73 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml index e273d34fb..197752e72 100644 --- a/rules/cross-platform/execution_python_script_in_cmdline.toml +++ b/rules/cross-platform/execution_python_script_in_cmdline.toml @@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index 0b9250763..191145340 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -58,7 +58,7 @@ references = [ risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 2e55072bc..e0cdafbb3 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -60,7 +60,7 @@ references = [ risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index 2b0923ea2..bd2f01694 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 4b0de5692..033920b2e 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml @@ -60,7 +60,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat risk_score = 47 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index de6f80900..31f1f7479 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index 080abf479..0cb0b70d9 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml @@ -24,7 +24,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index 32a8f060f..b6e6fbf20 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml @@ -20,7 +20,7 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml index c4e819338..7996a3987 100644 --- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml @@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification" risk_score = 73 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 9d95a1ecc..7a9979f25 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -24,7 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod" risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 05f12f10b..086f187b7 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -33,7 +33,7 @@ references = [ risk_score = 73 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "threshold" query = ''' diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 6caf8f54c..36967a399 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -20,7 +20,7 @@ name = "Sudoers File Modification" risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml index 2811fd302..45331762b 100644 --- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml @@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/ risk_score = 47 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml index 14370203f..871926ebc 100644 --- a/rules/linux/command_and_control_linux_iodine_activity.toml +++ b/rules/linux/command_and_control_linux_iodine_activity.toml @@ -28,13 +28,7 @@ references = ["https://code.kryo.se/iodine/"] risk_score = 73 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2" severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Data Source: Elastic Endgame", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 0df4316f2..1cce40900 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -23,7 +23,7 @@ name = "Suspicious Network Activity to the Internet by Previously Unknown Execut risk_score = 21 rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index 42fc8d341..a13802a47 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 7b2fa8982..3a443d1c5 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 1f312acce..61cd91c34 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" severity = "medium" -tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 7a7c86e38..1f1ecf4d2 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -21,7 +21,7 @@ name = "Potential Linux Local Account Brute Force Detected" risk_score = 47 rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.parent.executable, user.id with maxspan=1s diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 251136b6b..6cea68f70 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by process.parent.name,host.name with maxspan=1m diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 46b550960..c7d1cf2eb 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 0d8ca0ff8..b63cb750d 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -20,7 +20,7 @@ name = "Attempt to Disable IPTables or Firewall" risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index a4228f87e..38099dc7d 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -20,7 +20,7 @@ name = "Attempt to Disable Syslog Service" risk_score = 47 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index c73b72719..b2c598330 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -23,7 +23,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity" risk_score = 21 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index cbd550eb8..bd1ba550a 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 08ca49ce6..2e63d67c3 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -21,7 +21,7 @@ name = "Potential Disabling of SELinux" risk_score = 47 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index 6fbc4e818..fb836c5a3 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index d41d06402..58e8df6f5 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -21,7 +21,7 @@ name = "File Deletion via Shred" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 49a63a769..92f58b926 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -26,7 +26,7 @@ name = "File Permission Modification in Writable Directory" risk_score = 21 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 18b73e23f..954a9ebcf 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -32,7 +32,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 4e3d12efb..28e1f61a5 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index c6e6d0744..bb6b41ce3 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -28,7 +28,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] risk_score = 47 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml index 858e61c72..3771c896f 100644 --- a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml +++ b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml @@ -38,14 +38,7 @@ references = ["https://www.getambassador.io/resources/code-injection-on-linux-an risk_score = 21 rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Persistence", - "Tactic: Privilege Escalation", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 45e4b0aaf..11b7082b3 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 2e7bfe433..18d005f07 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 99a98babe..ed827eebb 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -31,7 +31,7 @@ references = [ risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 0ad3a98fa..03fd982a3 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index 57f139d27..d71c8b051 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 40a714acd..64ebdb855 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index f7f0f9663..309468451 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 4c8e1a74a..863c343d2 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -27,7 +27,7 @@ name = "Enumeration of Kernel Modules" risk_score = 47 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" query = ''' diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 2f71ae875..c28247d52 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"] risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 88a59b40a..4b58715db 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"] risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 139b052ec..f3f6dbc7a 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -21,7 +21,7 @@ name = "Sudo Command Enumeration Detected" risk_score = 21 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 0590ae316..3603a08b8 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -23,7 +23,7 @@ name = "SUID/SGUID Enumeration Detected" risk_score = 21 rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index dbe7bd059..6933b4667 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -27,7 +27,7 @@ name = "Virtual Machine Fingerprinting" risk_score = 73 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 3dd357b84..a42656946 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -74,7 +74,7 @@ references = [ risk_score = 47 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 5091182e4..5ba37257c 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -20,7 +20,7 @@ name = "Interactive Terminal Spawned via Perl" risk_score = 73 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 87a66270d..d5c18644d 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -41,7 +41,7 @@ references = [ risk_score = 73 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 471b8cdc0..097216c02 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -33,7 +33,7 @@ references = [ risk_score = 73 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 6f914f6ae..9e121608a 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -21,7 +21,7 @@ risk_score = 73 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" severity = "high" timestamp_override = "event.ingested" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 1add706fc..53c2fbe20 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -23,7 +23,7 @@ name = "Potential Code Execution via Postgresql" risk_score = 47 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 93d77cb93..d88e2665e 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -97,7 +97,7 @@ references = [ risk_score = 47 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml index 7d7768837..7bc39e984 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml +++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 9614acd3e..e2b712f00 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id with maxspan=5s diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 4eb788396..a865fa968 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 59aad9088..1c7eb1c65 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 701afc86b..eab506658 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id with maxspan=1s diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index c58686034..ad404d299 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index ca8469571..4d11a35ee 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -23,7 +23,7 @@ name = "Suspicious System Commands Executed by Previously Unknown Executable" risk_score = 21 rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 6f90d8dcd..a651d2da4 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -20,7 +20,7 @@ name = "Suspicious Mining Process Creation Event" risk_score = 47 rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 4cca91fc3..d46111522 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -23,7 +23,7 @@ references = [ risk_score = 73 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index bed7ab281..a6641e809 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, user.name, process.parent.entity_id with maxspan=5s diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index ef74a0d0e..325a72c3b 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 7684e471a..09410f397 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -22,7 +22,7 @@ name = "Suspicious File Changes Activity Detected" risk_score = 47 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index d9e4f7fd6..41b96c8ba 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -23,7 +23,7 @@ name = "Potential Linux Ransomware Note Creation Detected" risk_score = 47 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 1bce29dd2..b701c3811 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -50,7 +50,7 @@ This rule identifies a high number (10) of process terminations via pkill from t risk_score = 47 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" query = ''' diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 720ed8c60..a6782b38d 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index c8361bfa2..7a0013db0 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 69d83bb09..089047488 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 003408789..8bde827f9 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 25060c71c..9469bb82f 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 9361da221..b93d744a2 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -22,7 +22,7 @@ references = [ risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 5076f21d3..abf97ec46 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 28f0aa8c2..8e093be8f 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -127,7 +127,7 @@ references = [ risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" query = ''' diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index dc8d1178c..e6a6886b1 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -22,7 +22,7 @@ references = [ risk_score = 47 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index e6bafa17e..980170104 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 32f280f10..a635f2355 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -88,7 +88,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0 risk_score = 47 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index fa4df3ba2..7c3f8b18a 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -105,7 +105,7 @@ references = [ risk_score = 73 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 8d1befe1d..69f741e83 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -83,7 +83,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign risk_score = 47 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 1aa9ecf08..8b737aaab 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -121,7 +121,7 @@ references = [ risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "new_terms" query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index abe18dc01..34185a085 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -120,7 +120,7 @@ references = [ risk_score = 73 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 7dd978579..8ef5e71f9 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -106,7 +106,7 @@ references = [ risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "new_terms" query = ''' host.os.type : "linux" and event.category : "file" and diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index ef6a71725..d2534e2c2 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -25,7 +25,7 @@ references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"] risk_score = 47 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 9591ef154..c60d89c5e 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -135,7 +135,7 @@ references = [ risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" query = ''' diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index b8abfebe4..577ac3ae4 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 90d70f15d..343599b13 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -23,7 +23,7 @@ references = ["https://www.exploit-db.com/papers/33930"] risk_score = 21 rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index b6987ec8e..2a8d2eeeb 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -41,7 +41,7 @@ references = [ risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 200fe3b6a..cf2dbe27f 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 2cb3742af..f4eede9ed 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -23,7 +23,7 @@ name = "Suspicious Symbolic Link Created" risk_score = 21 rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 3bd9d06be..660e305cf 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 8419a7031..61ebdd432 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index aee04b9c9..e485a0017 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 7b0057029..07df799c0 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -21,7 +21,7 @@ references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/ risk_score = 73 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index 0583442e0..beb058f25 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -23,7 +23,7 @@ references = ["https://www.exploit-db.com/papers/33930"] risk_score = 47 rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id with maxspan=1s diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index 2aed3751a..8d867536e 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -24,7 +24,7 @@ references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ risk_score = 21 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 91d526783..2e54f5531 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -22,7 +22,7 @@ references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-t risk_score = 47 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index 168564678..859e2eff2 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -22,7 +22,7 @@ references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"] risk_score = 47 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 2643f8ef2..9257e3e25 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -24,7 +24,7 @@ references = ["https://github.com/nongiach/sudo_inject"] risk_score = 47 rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 44077b2c1..57caf1af5 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index 095cb86cc..9200aa588 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -23,7 +23,7 @@ references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ risk_score = 47 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml index 3ed437d91..2a0210272 100644 --- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml +++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml @@ -25,7 +25,7 @@ references = ["https://securelist.com/calisto-trojan-for-macos/86543/"] risk_score = 73 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index d0002a983..2f68ef9e8 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index b075ed59f..7e10e9118 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -25,7 +25,7 @@ references = [ risk_score = 73 rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml index f1530bc54..cfe887826 100644 --- a/rules/macos/credential_access_dumping_keychain_security.toml +++ b/rules/macos/credential_access_dumping_keychain_security.toml @@ -26,7 +26,7 @@ references = ["https://ss64.com/osx/security.html"] risk_score = 73 rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index 3c036ec21..6f350af4f 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index 37df0cf25..acaa67ea4 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -32,7 +32,7 @@ references = [ risk_score = 73 rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 2dd508c05..86e506f43 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml index 682ffaede..90aa793ac 100644 --- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -21,7 +21,7 @@ references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monit risk_score = 47 rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] type = "threshold" query = ''' diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index f0cbe5205..3a2483579 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "38948d29-3d5d-42e3-8aec-be832aaaf8eb" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml index b3c02ca10..d3f16ee7d 100644 --- a/rules/macos/credential_access_systemkey_dumping.toml +++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -22,7 +22,7 @@ references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/so risk_score = 73 rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index e48eed32d..a498ceb70 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml @@ -22,7 +22,7 @@ references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-mon risk_score = 47 rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index f9861b430..c493f283f 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index 53fc4bea1..dd705ff47 100644 --- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml index e048367a2..d1be0b5b4 100644 --- a/rules/macos/defense_evasion_install_root_certificate.toml +++ b/rules/macos/defense_evasion_install_root_certificate.toml @@ -24,7 +24,7 @@ references = ["https://ss64.com/osx/security-cert.html"] risk_score = 47 rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index 0ac2b0978..af4e45099 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index c2999880f..c026c8e63 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml @@ -30,7 +30,7 @@ references = [ risk_score = 47 rule_id = "eea82229-b002-470e-a9e1-00be38b14d32" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index d1668608e..9390c9475 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index 1003829f5..e722f5ca1 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -22,7 +22,7 @@ references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"] risk_score = 47 rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 7e820e8d8..08c37707c 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -26,7 +26,7 @@ references = [ risk_score = 73 rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml index 0c02a8bd4..96888761b 100644 --- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -22,7 +22,7 @@ references = ["https://theevilbit.github.io/posts/cve_2020_9771/"] risk_score = 73 rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index 8c5e8526d..caffb6e6c 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -17,7 +17,7 @@ name = "Attempt to Unload Elastic Endpoint Security Kernel Extension" risk_score = 73 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index a8d17d37f..a41b23a07 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml index c4f6aa3bb..687924cd0 100644 --- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 5ad017dd4..b013e97f9 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml @@ -25,7 +25,7 @@ references = [ risk_score = 73 rule_id = "080bc66a-5d56-4d1f-8071-817671716db9" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index 55e5a464d..56de9dd69 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index 2e36f553f..6956e6d65 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -22,7 +22,7 @@ references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"] risk_score = 47 rule_id = "5d9f8cfc-0d03-443e-a167-2b0597ce0965" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index 765c0bda1..b84c641ae 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "47f76567-d58a-4fed-b32b-21f571e28910" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index 0da7b12eb..b99f1a4df 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 328f6d6b0..c6158ed73 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -22,7 +22,7 @@ references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office risk_score = 47 rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml index 442cc4df9..4f5a50209 100644 --- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml @@ -21,7 +21,7 @@ references = ["https://github.com/its-a-feature/bifrost"] risk_score = 73 rule_id = "16904215-2c95-4ac8-bf5c-12354e047192" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml index d2489265c..7752fee96 100644 --- a/rules/macos/lateral_movement_mounting_smb_share.toml +++ b/rules/macos/lateral_movement_mounting_smb_share.toml @@ -25,7 +25,7 @@ references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.c risk_score = 21 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 73212d197..2dcc800fa 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -22,7 +22,7 @@ references = [ risk_score = 47 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 68dbbe65a..f0dd7b974 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "15dacaa0-5b90-466b-acab-63435a59701a" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml index b59b6d204..f99f1fb16 100644 --- a/rules/macos/persistence_account_creation_hide_at_logon.toml +++ b/rules/macos/persistence_account_creation_hide_at_logon.toml @@ -21,7 +21,7 @@ references = ["https://support.apple.com/en-us/HT203998"] risk_score = 47 rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 195dc06dd..432c40592 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -24,7 +24,7 @@ references = [ risk_score = 21 rule_id = "082e3f8c-6f80-485c-91eb-5b112cb79b28" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index f7005d673..a8ede731e 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml index 1aaa555bf..e783c1b41 100644 --- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml @@ -24,7 +24,7 @@ references = [ risk_score = 21 rule_id = "9d19ece6-c20e-481a-90c5-ccca596537de" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 19e371650..d5268486c 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index 6575216f1..9150e79ed 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "530178da-92ea-43ce-94c2-8877a826783d" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index da5566d6d..9be4b4e1d 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index ec48631d4..7f0bb3cd4 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -22,7 +22,7 @@ references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-a risk_score = 47 rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 4f466670a..f503119a6 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index 311f521ba..899249fd7 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index f678dba18..8fbc211d2 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -22,7 +22,7 @@ references = ["https://www.xorrior.com/emond-persistence/"] risk_score = 47 rule_id = "3e3d15c6-1509-479a-b125-21718372157e" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 98b4222b8..3ff0409b7 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -21,7 +21,7 @@ references = ["https://ss64.com/osx/dsenableroot.html"] risk_score = 47 rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 1c03e3128..339b64e9d 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index 4fa2fbfe5..c04d0a66e 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index e31616cca..6f01f90af 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -22,7 +22,7 @@ references = ["https://posts.specterops.io/folder-actions-for-persistence-on-mac risk_score = 47 rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 91e6919b7..f90b818e5 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 31f409056..1f32cb376 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -24,7 +24,7 @@ references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript risk_score = 47 rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index e498dd359..2d26195a3 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"] risk_score = 21 rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml index ff4a62c43..1d1e40a2c 100644 --- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml @@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml index 94de6900c..3090eba49 100644 --- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml @@ -38,7 +38,7 @@ references = [ risk_score = 47 rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index ff6aea3e0..070432064 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -35,7 +35,7 @@ references = [ risk_score = 47 rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml index 303856d73..806ab4506 100644 --- a/rules/macos/persistence_suspicious_calendar_modification.toml +++ b/rules/macos/persistence_suspicious_calendar_modification.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index 2923b645c..927f599fa 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -24,7 +24,7 @@ references = [ risk_score = 21 rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7" severity = "low" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index 384565270..ab7895647 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -25,7 +25,7 @@ references = ["https://discussions.apple.com/thread/2266150"] risk_score = 47 rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index cf3cc7ee6..7a4a79d96 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml index 09346426e..f37c522e1 100644 --- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml +++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml @@ -30,7 +30,8 @@ tags = [ "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", - "Use Case: Vulnerability" + "Use Case: Vulnerability", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 05f425c19..7a865b966 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -21,7 +21,7 @@ references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-ad risk_score = 47 rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 74431a892..dff3f810b 100644 --- a/rules/macos/privilege_escalation_root_crontab_filemod.toml +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01" severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index ccd118382..0f0e3021d 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index dd2bcaf6f..cb08ce0d6 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -70,7 +70,7 @@ references = [ risk_score = 47 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 3dba39138..7f933702c 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -58,7 +58,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index bc46bfa7a..a30c10442 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -20,7 +20,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 2d83c3f1d..6645af86b 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -101,7 +101,7 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 1022834c1..5ab6009b7 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -98,7 +98,7 @@ This rule looks for processes outside known legitimate program locations communi risk_score = 21 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index b302081a1..efecb7c2e 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -62,6 +62,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] type = "threshold" diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 6789abd78..b36e716f1 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index 1dce0093a..348c740f9 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -22,7 +22,7 @@ name = "Potential Command and Control via Internet Explorer" risk_score = 47 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index c707da5fc..f71f36778 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml @@ -21,7 +21,7 @@ references = ["https://attack.mitre.org/techniques/T1197/"] risk_score = 21 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index bbc6e20ee..ec88be3ea 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -60,7 +60,7 @@ references = [ risk_score = 47 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 68af4cd47..223fcd12c 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -76,6 +76,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index a7ed81962..51f99d833 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -67,6 +67,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 4b869245b..59c928434 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -113,6 +113,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 990ecb642..b9300b4cf 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -110,6 +110,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 9d38a56ff..6301f3c8a 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -95,7 +95,7 @@ PowerShell is one of system administrators' main tools for automation, report ro risk_score = 47 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 41161ea54..e929bb25b 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -96,7 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr risk_score = 47 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 26121acc0..d81caeb92 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -99,7 +99,7 @@ references = [ risk_score = 73 rule_id = "22599847-5d13-48cb-8872-5796fee8692b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 5214a965d..19b665790 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -106,6 +106,7 @@ tags = [ "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 7bf052b05..c128f9b2c 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -66,6 +66,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 1440ac6e8..53332e46e 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index dcee402ee..0d482c031 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -100,7 +100,7 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, risk_score = 73 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 93ab814c5..6fb6503ee 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -32,7 +32,7 @@ references = [ risk_score = 73 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 063094044..bc34a9e94 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -71,6 +71,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index efb36814b..77e7ed0ca 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 99f8e9aa1..dbf6baa69 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -26,7 +26,7 @@ references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of- risk_score = 73 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 623a27243..e983409d5 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 58dd75039..8ab21f984 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -108,7 +108,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 0b896eefc..791113daf 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 830cc02a9..c59aea7fa 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -110,6 +110,7 @@ tags = [ "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index e8a8dce67..218eba17e 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -20,7 +20,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 679ff5180..08e5324ca 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -70,6 +70,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 781f0c335..f3cefe661 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -82,6 +82,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 69b40e2b0..7f7e06ef9 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -63,6 +63,7 @@ tags = [ "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index ae5043c60..5e7a9982d 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index f423dbe68..8ed4a77c0 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -25,7 +25,7 @@ references = [ risk_score = 73 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index c494b0995..3383e7334 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -72,6 +72,7 @@ tags = [ "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index df3400fb4..a5995dc5b 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -30,7 +30,7 @@ references = [ risk_score = 47 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index 8efbf9b2d..27144441b 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -94,6 +94,7 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index cd03e935c..b823fd517 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -96,6 +96,7 @@ tags = [ "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 269b02992..2e3f8f645 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -95,7 +95,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index 53fc67704..7760b4a98 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -102,6 +102,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 0e9f887ac..5866c90e3 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -85,6 +85,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index d44784630..6bcb26103 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -67,6 +67,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index f821679b8..18023638b 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -63,6 +63,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml index c79fd8ca2..f16b2f62d 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml @@ -88,7 +88,8 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 795aaaded..0e1bb8b63 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -88,7 +88,8 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 070f8a692..c97cfbea2 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -82,6 +82,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 76e310dde..1e35df61a 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -69,6 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 319358914..c7fca7156 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -81,6 +81,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index c7665c333..2a30c5176 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -52,7 +52,7 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela risk_score = 21 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 8c0798a9d..8aa170a3d 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -70,6 +70,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 499962cff..566e8931b 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -61,6 +61,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index 944265338..c7f57e82e 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml @@ -69,6 +69,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 8850d6e96..f7c000537 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -66,6 +66,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index 3b18c1175..cdd2c77a2 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 1e9b3e226..8a41f8898 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 1e5a409d5..dbaf9f9fa 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -67,6 +67,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index f033341ec..153a80b30 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -63,6 +63,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 59e3460c3..3beaffd08 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -25,7 +25,7 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 7ba7ae5f5..d2d7937ff 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -25,7 +25,7 @@ references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 3fef0a241..68ece95a1 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -88,6 +88,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index c8b1079b0..7de464722 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 9042922bb..0c6c03912 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 03390cbdc..3e512129e 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -108,6 +108,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 2862acb3d..86fcdc731 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -31,7 +31,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index c84764a31..414fc58c5 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 03cfc6bf8..dce462621 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 66660e2d0..b661bcc2e 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 3922f5c1b..4aa169d97 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index ca32d0129..4b157e6c1 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -20,7 +20,7 @@ name = "Encoded Executable Stored in the Registry" risk_score = 47 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index a20a4ca08..11ea3faaf 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -59,7 +59,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml index 845252357..9b524cd63 100644 --- a/rules/windows/defense_evasion_installutil_beacon.toml +++ b/rules/windows/defense_evasion_installutil_beacon.toml @@ -20,7 +20,7 @@ name = "InstallUtil Process Making Network Connections" risk_score = 47 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index d99a3d7ee..f574bbc77 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 10571c4bc..78f90e748 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -107,6 +107,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 9e5ec9cb1..e890786bb 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -31,7 +31,7 @@ references = [ risk_score = 47 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index c466f17c0..d7441c5ea 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index bf00e9012..37bc0e9d8 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -103,7 +103,7 @@ references = [ risk_score = 47 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 7d576a39c..a2abaed01 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -72,7 +72,7 @@ references = [ risk_score = 47 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 437e9120a..d0b6fe2f8 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -100,7 +100,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml index d61278529..a190c6bca 100644 --- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml +++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml @@ -18,7 +18,7 @@ name = "MsBuild Network Connection Sequence" risk_score = 47 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index e8a338fc6..bb31c6176 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -100,7 +100,7 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c risk_score = 47 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml index 90b277935..6e17e37bf 100644 --- a/rules/windows/defense_evasion_mshta_beacon.toml +++ b/rules/windows/defense_evasion_mshta_beacon.toml @@ -20,7 +20,7 @@ name = "Mshta Making Network Connections" risk_score = 47 rule_id = "c2d90150-0133-451c-a783-533e736c12d7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml index 49a15debb..ffce1df2d 100644 --- a/rules/windows/defense_evasion_msxsl_beacon.toml +++ b/rules/windows/defense_evasion_msxsl_beacon.toml @@ -18,7 +18,7 @@ name = "MsXsl Making Network Connections" risk_score = 47 rule_id = "870d1753-1078-403e-92d4-735f142edcca" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index 43b0df677..173b4595b 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index a3dbb4de1..1cdc5e564 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -100,7 +100,7 @@ This rule identifies network connections established by trusted developer utilit risk_score = 47 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 747a04f75..3174bda50 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -21,7 +21,7 @@ references = ["https://blog.didierstevens.com/2017/03/20/"] risk_score = 73 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 217f09bb0..b42d3a944 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -33,6 +33,7 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml index d9593729b..025a5e6de 100644 --- a/rules/windows/defense_evasion_potential_processherpaderping.toml +++ b/rules/windows/defense_evasion_potential_processherpaderping.toml @@ -21,7 +21,7 @@ references = ["https://github.com/jxy-s/herpaderping"] risk_score = 73 rule_id = "ccc55af4-9882-4c67-87b4-449a7ae8079c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 6bfbb88e3..311ae1508 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -77,6 +77,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 94e9b6a02..92101aef0 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -95,7 +95,7 @@ This rule identifies an unsigned process termination event quickly followed by t risk_score = 47 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 2edf1cc96..06edc6771 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index d54b61439..a1d191621 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -21,7 +21,7 @@ name = "Unusual Child Processes of RunDLL32" risk_score = 73 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index dda08a658..153c1472b 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml @@ -26,7 +26,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32 risk_score = 47 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 354ce45bf..771bce007 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -52,7 +52,7 @@ This rule identifies file name patterns generated by the use of SDelete utility risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 401a3062b..3fb0dab53 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -22,7 +22,7 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"] risk_score = 47 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 91415195d..3c6640ade 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "b9960fef-82c6-4816-befa-44745030e917" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index b75115273..94d27818b 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -102,7 +102,7 @@ references = [ risk_score = 47 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 54fca638d..d847c63aa 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index c72c8d718..312e75f48 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -21,7 +21,7 @@ references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-c risk_score = 73 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index 7d1652cb9..ed257d4d9 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -20,7 +20,7 @@ name = "Suspicious Script Object Execution" risk_score = 47 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index fbac450af..7f71c0eef 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -92,7 +92,7 @@ Identifies the execution of a process with a single character process name, diff risk_score = 47 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 349cfee4e..5fdac9e42 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -20,7 +20,7 @@ name = "Suspicious WMIC XSL Script Execution" risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 931175003..2406aaa28 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -97,7 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index b929a53c2..f9fa390e8 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -107,6 +107,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml index 5e9636906..4409d1b61 100644 --- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml index 6bba8a316..8bc2df3e6 100644 --- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml +++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml @@ -95,7 +95,7 @@ references = [ risk_score = 73 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index e42ba6549..23803b6f5 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -106,7 +106,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 105a585f6..d652d66f0 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index 78d592248..5b1903fb2 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index e84bb608e..959d63f3e 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -56,7 +56,7 @@ references = [ risk_score = 47 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index a306d59ba..7d2ecd997 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -47,7 +47,7 @@ This rule identifies network activity from unexpected system utilities and appli risk_score = 21 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index e7535d623..6505482cc 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml @@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index c56e1fe1b..95872150a 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -97,7 +97,7 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co risk_score = 47 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml index fc41e3cc4..61f2a435f 100644 --- a/rules/windows/defense_evasion_wsl_bash_exec.toml +++ b/rules/windows/defense_evasion_wsl_bash_exec.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml index d8e8621f1..dd8781f18 100644 --- a/rules/windows/defense_evasion_wsl_child_process.toml +++ b/rules/windows/defense_evasion_wsl_child_process.toml @@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml index ac0561287..c4bcc8e27 100644 --- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml @@ -21,7 +21,7 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux risk_score = 47 rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml index 09f62af42..2eedc3f7f 100644 --- a/rules/windows/defense_evasion_wsl_filesystem.toml +++ b/rules/windows/defense_evasion_wsl_filesystem.toml @@ -21,7 +21,7 @@ references = ["https://github.com/microsoft/WSL"] risk_score = 47 rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml index 5450c0714..4fa4ca573 100644 --- a/rules/windows/defense_evasion_wsl_kalilinux.toml +++ b/rules/windows/defense_evasion_wsl_kalilinux.toml @@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 73 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml index 7a2a476fc..0421ac56f 100644 --- a/rules/windows/defense_evasion_wsl_registry_modification.toml +++ b/rules/windows/defense_evasion_wsl_registry_modification.toml @@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"] risk_score = 47 rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index a987032b6..94fc037d5 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -68,7 +68,7 @@ references = [ risk_score = 21 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 60c2c8b2e..309acb7d0 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -56,7 +56,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "871ea072-1b71-4def-b016-6278b505138d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 2c3d39a42..276c86291 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -53,7 +53,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index 65f595a8f..8882470a0 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -59,7 +59,7 @@ references = [ risk_score = 21 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 322aedf8f..7b337ff65 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -62,7 +62,7 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index 557738694..680fcfcf0 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml @@ -50,7 +50,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml index 4202ab5a9..2fdec6fc9 100644 --- a/rules/windows/discovery_group_policy_object_discovery.toml +++ b/rules/windows/discovery_group_policy_object_discovery.toml @@ -21,7 +21,7 @@ name = "Group Policy Discovery via Microsoft GPResult Utility" risk_score = 21 rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index f0b74e70f..f79ecd709 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -49,7 +49,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 4ca4f7e0e..e36832140 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -53,7 +53,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml index b75db165e..d3d963d15 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml @@ -62,7 +62,7 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index cd4060307..90c6d2c99 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml @@ -49,7 +49,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index bcc10fd12..8e3377602 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml @@ -52,7 +52,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index 69297a080..1e9af9b78 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml @@ -20,7 +20,7 @@ name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml index fecb139e6..a340cb45f 100644 --- a/rules/windows/discovery_system_time_discovery.toml +++ b/rules/windows/discovery_system_time_discovery.toml @@ -19,7 +19,7 @@ name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 276f133d3..dcccd0c20 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -62,7 +62,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index e347d508b..7f0913897 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index 49fbfea33..bf4cc721f 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 7064a300e..d1cd2a58d 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index afb1e0efe..faf59b442 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -106,7 +106,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 50c77ac42..de9784d6e 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -100,7 +100,7 @@ references = [ risk_score = 21 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 951b91f38..fd0b008d3 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 5807d3930..8f63f159e 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 7682cc2bf..87e2411f5 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -19,7 +19,7 @@ name = "Downloaded Shortcut Files" risk_score = 21 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 943e9914b..603baeac0 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -19,7 +19,7 @@ name = "Downloaded URL Files" risk_score = 47 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 3aeed2751..ef6f9c1b7 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 3e16bf3f7..d2ef500f5 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -109,6 +109,7 @@ tags = [ "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index 64a390162..59baab035 100644 --- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -108,7 +108,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 048002fdb..581098701 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -68,7 +68,7 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml index 133859562..4fdcedfbf 100644 --- a/rules/windows/execution_pdf_written_file.toml +++ b/rules/windows/execution_pdf_written_file.toml @@ -68,7 +68,7 @@ This rule searches for executable files written by PDF reader software and execu risk_score = 73 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index 2085e8964..f1ff0df28 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -58,7 +58,7 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index 07d8f6c42..7859246f9 100644 --- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -105,7 +105,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index f74f75473..e0354c190 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 9e690dcc3..79c5f8334 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link- risk_score = 47 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index c3f040f2f..200bd74c1 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index c2e6e5b59..a363a06e7 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 3b35a3e3f..6513bafd4 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -72,7 +72,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index fd2f5b7eb..31d26f7e6 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -63,7 +63,7 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index d34a7de7a..9d558f377 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 32543af2f..2917eaf49 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -115,7 +115,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 5e43ac1fd..73662fe38 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -75,7 +75,7 @@ references = [ risk_score = 73 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index bd174943b..a337f558c 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -67,7 +67,7 @@ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti- risk_score = 47 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index 14e0c4335..2891f1b5f 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml @@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index 894be7700..f9559a9af 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml @@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index 2b1d5103d..31206e868 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -52,7 +52,7 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" query = ''' diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index fa74cfb04..020a629a9 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 8f978b0b3..8f26fbd35 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -86,7 +86,7 @@ references = [ risk_score = 73 rule_id = "d99a037b-c8e2-47a5-97b9-170d076827c4" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 868b5dc75..2c2d66f71 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 593740e97..ffbb3aa72 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index c2b767203..0ad8c3bc8 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml index a6169681a..9087edbed 100644 --- a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml @@ -24,7 +24,7 @@ references = [ "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" ] -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index e44bf3d2d..2d99fa24f 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -74,7 +74,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 590ef9fc9..d4ae9b815 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -20,7 +20,7 @@ name = "Windows Script Interpreter Executing Process via WMI" risk_score = 47 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index befdaaba6..b182c3798 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -48,7 +48,7 @@ references = [ risk_score = 47 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 59d371039..55f3ebb97 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml @@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index cc0e80704..d82babd8e 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 8eae8766e..c3fe64e47 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -73,7 +73,7 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index 839125aaf..74eecceb3 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 5f9462ea9..4318c3153 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -73,7 +73,7 @@ references = [ risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml index 72b9b645e..6d3ec3940 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml @@ -36,7 +36,7 @@ references = [ risk_score = 73 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 97d647c83..5480ac86f 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 5efcbdf06..abb73fc0e 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml @@ -20,7 +20,7 @@ name = "Service Command Lateral Movement" risk_score = 21 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index b6a4cc22c..99cdd4e29 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -22,7 +22,7 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"] risk_score = 73 rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index 74b5afec7..fb5bcd72d 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -22,7 +22,7 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20 risk_score = 73 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index bd3c0634a..175349e81 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -22,7 +22,7 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round- risk_score = 47 rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index d86aa81ab..cc750c16e 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index f6ea9a8d2..776590723 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -97,7 +97,7 @@ This rule looks for unexpected processes making network connections over port 44 risk_score = 47 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index fa4046e8e..de21c911e 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index ac3324aa0..30457f6d7 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -61,7 +61,7 @@ Adversaries can use network shares to host tooling to support the compromise of risk_score = 47 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index 804b0e6f5..c3a97f752 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-mov risk_score = 73 rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 6773aaea7..d5b91b1fd 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -95,7 +95,7 @@ references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-move risk_score = 47 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 765db0a9c..857e0fd44 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -26,7 +26,7 @@ name = "Incoming Execution via WinRM Remote Shell" risk_score = 47 rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index ee7c372a2..d501b1180 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -20,7 +20,7 @@ name = "WMI Incoming Lateral Movement" risk_score = 47 rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index fe33a54b3..a37040210 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index e9689c083..7cb9e6151 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 6f5722345..0dc72a734 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -60,7 +60,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index fc4022304..c76653e20 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 617986432..566d47df4 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 7e649e51f..ef8fb7f7d 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -103,7 +103,7 @@ references = [ risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index 78e101722..57fd6f640 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml @@ -45,7 +45,7 @@ note = """## Triage and analysis risk_score = 47 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 072272e2a..07464fa4d 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-mov risk_score = 47 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 2882ebdb3..7f65fc181 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -25,7 +25,7 @@ references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"] risk_score = 73 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index e721d59f5..828e74cc4 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -98,7 +98,7 @@ references = ["https://twitter.com/pabraeken/status/997997818362155008"] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index d20fcac8b..e122cf254 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -20,7 +20,7 @@ name = "Installation of Custom Shim Databases" risk_score = 47 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index bb40701c4..63831c0c0 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index e5fc6ed37..3ced40804 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -114,7 +114,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_driver_newterm_imphash.toml b/rules/windows/persistence_driver_newterm_imphash.toml index 88ece7e00..e054c70ba 100644 --- a/rules/windows/persistence_driver_newterm_imphash.toml +++ b/rules/windows/persistence_driver_newterm_imphash.toml @@ -97,7 +97,7 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive risk_score = 47 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 329215cab..5040e8330 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -56,7 +56,7 @@ references = [ risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index 12b2965d0..69d549c7f 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "6839c821-011d-43bd-bd5b-acff00257226" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index c5342f202..38c69281e 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -98,7 +98,7 @@ Techniques used within malware and by adversaries often leverage the Windows reg risk_score = 73 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml index 2ad215067..43f70f536 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml +++ b/rules/windows/persistence_gpo_schtask_service_creation.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index a844966a9..04cdb1a2e 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 3ca4482b6..fb865387c 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index 62615df12..500eedba5 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -24,7 +24,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index 3daa7cb0e..841cbf3ff 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -22,7 +22,7 @@ references = ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-of risk_score = 73 rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 213db3a03..1d886778b 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index 41375f9de..fb9abc810 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 2b2a5795b..cd0b863d9 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 1bb39e002..db097fd73 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -107,7 +107,7 @@ references = ["https://www.elastic.co/blog/practical-security-engineering-statef risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index 0a99ab034..1f981bea1 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -21,7 +21,7 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620 risk_score = 47 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 62c89c7e4..54a2e3e1c 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -103,7 +103,7 @@ Adversaries may achieve persistence by referencing a program with a registry run risk_score = 21 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index b85d07a3f..f3f05fcbd 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -20,7 +20,7 @@ name = "Execution of Persistent Suspicious Program" risk_score = 47 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index cbbc1a170..b804a3f1d 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -20,7 +20,7 @@ name = "Unsigned DLL Loaded by Svchost" risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index bf40f7b56..944b61097 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -21,7 +21,7 @@ name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 57601c31d..7c0ea75e9 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -107,7 +107,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index c93e826ce..6f17aeffa 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -102,7 +102,7 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index c3276a1cb..b7e0207ac 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -106,7 +106,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 8e1675084..7c674e40b 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -69,7 +69,7 @@ references = [ risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 01350c04d..2fc8a1533 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -30,7 +30,7 @@ references = [ risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 311623f48..254b888a7 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index fd735248b..3974595f2 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -20,7 +20,7 @@ name = "Suspicious ImagePath Service Creation" risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 0bf2c8c09..2efaab779 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 11af0e1ff..d49142aa7 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -23,7 +23,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 0d51dc93a..fa0be4e1a 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 50a2b8b2d..ca066c009 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index 651c9b3be..ac30e82fe 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -31,7 +31,7 @@ references = [ risk_score = 47 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index ed63e3fa3..b446c1dcc 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 7dafe2a26..298e218f7 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 7ef92b357..d52f34326 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -27,7 +27,7 @@ references = [ risk_score = 73 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index fdfbdd3e7..4be06e372 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -103,7 +103,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"] risk_score = 73 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 9b231cf8f..6421c8075 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -26,7 +26,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 0c0f4732a..c5babdfcd 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index d7a5da067..bf7945e96 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -58,7 +58,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ risk_score = 73 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 8cc385eae..f4b4e59f2 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -75,7 +75,7 @@ references = [ risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 5f68e0bb8..0c2443a2f 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -78,7 +78,7 @@ references = [ risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index a6e5b9083..a19faf24b 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -106,7 +106,7 @@ references = ["https://github.com/klinix5/InstallerFileTakeOver"] risk_score = 73 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml index 2b714a6d5..44305de0b 100644 --- a/rules/windows/privilege_escalation_lsa_auth_package.toml +++ b/rules/windows/privilege_escalation_lsa_auth_package.toml @@ -21,7 +21,7 @@ name = "Potential LSA Authentication Package Abuse" risk_score = 47 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 597948a7b..f9c96d7cc 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -112,6 +112,7 @@ tags = [ "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 7b442a332..8584c18b3 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -80,7 +80,8 @@ tags = [ "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", - "Data Source: Elastic Endgame" + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 62d89d546..3eec687db 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -22,7 +22,7 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro risk_score = 47 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 2e92c1b2d..3db123198 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml @@ -26,7 +26,7 @@ references = [ risk_score = 73 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 7050d5f10..58cf0f454 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -29,7 +29,7 @@ references = [ risk_score = 73 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 99625086e..8421af4c2 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -31,7 +31,7 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34 risk_score = 47 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index c6326b664..0902763f8 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -104,7 +104,7 @@ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-a risk_score = 73 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 4b57ed5e2..f7d0f4f5f 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -21,7 +21,7 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable risk_score = 73 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 9c4132221..401d9f403 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -80,7 +80,7 @@ The `sc.exe` command line utility is used to manage and control Windows services risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 5e057dd43..c96350245 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -25,7 +25,7 @@ references = ["https://github.com/hfiref0x/UACME"] risk_score = 73 rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 61e2acccf..1461ff449 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -25,7 +25,7 @@ references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comaut risk_score = 47 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 8e217b215..30d80950e 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 9f73441e4..8905231cf 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index a90bec5c8..62990a8da 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 7738c61ca..a2bd79e87 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -104,7 +104,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 81f6596aa..373f0afff 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -104,7 +104,7 @@ references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted risk_score = 73 rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 711f8ae58..1e27cd45f 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -104,7 +104,7 @@ references = ["https://github.com/AzAgarampur/byeintegrity-uac"] risk_score = 47 rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml index eb2be634c..98ad29923 100644 --- a/rules/windows/privilege_escalation_uac_sdclt.toml +++ b/rules/windows/privilege_escalation_uac_sdclt.toml @@ -18,7 +18,7 @@ name = "Bypass UAC via Sdclt" risk_score = 73 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 29dd0c8d6..f5f5a673b 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -104,7 +104,7 @@ references = [ risk_score = 47 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index c2ae801ff..d8958776a 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -31,7 +31,7 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34 risk_score = 47 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 6b7cede3e..35b082e58 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index 4d4138c3b..b894b3e11 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -26,7 +26,7 @@ references = [ risk_score = 73 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index e3d6a5e89..46a53aaf0 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml index 8817e2add..0e2e35bd1 100644 --- a/rules/windows/privilege_escalation_wpad_exploitation.toml +++ b/rules/windows/privilege_escalation_wpad_exploitation.toml @@ -19,7 +19,7 @@ name = "WPAD Service Exploit" risk_score = 73 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" query = ''' diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index 5ed6aafcb..9d733b357 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -22,7 +22,7 @@ name = "Potential Suspicious Clipboard Activity Detected" risk_score = 21 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"] type = "new_terms" building_block_type = "default" query = ''' diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml index a08073451..72414c1af 100644 --- a/rules_building_block/command_and_control_non_standard_http_port.toml +++ b/rules_building_block/command_and_control_non_standard_http_port.toml @@ -24,7 +24,7 @@ name = "Potential Non-Standard Port HTTP/HTTPS connection" risk_score = 21 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml index ec9244b93..fc4249ec2 100644 --- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml @@ -22,7 +22,7 @@ name = "Hidden Files and Directories via Hidden Flag" risk_score = 21 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 775d0428e..f7910eb50 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -22,7 +22,7 @@ name = "Unsigned DLL Loaded by a Trusted Process" risk_score = 21 rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" @@ -31,9 +31,9 @@ query = ''' library where host.os.type == "windows" and (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500 or - dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and - process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and - /* DLL loaded from the process.executable current directory */ + dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and + process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and + /* DLL loaded from the process.executable current directory */ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) and not user.id : "S-1-5-18" ''' diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml index a31055733..97a935470 100644 --- a/rules_building_block/defense_evasion_file_permission_modification.toml +++ b/rules_building_block/defense_evasion_file_permission_modification.toml @@ -21,7 +21,7 @@ name = "File and Directory Permissions Modification" risk_score = 21 rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index dbe5e6cf7..90358c511 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml @@ -21,7 +21,7 @@ name = "File or Directory Deletion Command" risk_score = 21 rule_id = "5919988c-29e1-4908-83aa-1f087a838f63" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules_building_block/defense_evasion_masquerading_communication_apps.toml index 78f7133ac..12910048e 100644 --- a/rules_building_block/defense_evasion_masquerading_communication_apps.toml +++ b/rules_building_block/defense_evasion_masquerading_communication_apps.toml @@ -21,7 +21,7 @@ name = "Potential Masquerading as Communication Apps" risk_score = 21 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index 31856fb93..7db55da31 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml @@ -10,7 +10,7 @@ updated_date = "2023/08/24" author = ["Elastic"] building_block_type = "default" description = """ -Identify instances where adversaries include trailing space characters to mimic regular files, disguising their +Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms. """ from = "now-119m" @@ -22,7 +22,7 @@ name = "Processes with Trailing Spaces" risk_score = 21 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index a7e1aab50..30188909c 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -21,7 +21,7 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index bdeade136..fc1b1cb28 100644 --- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -21,7 +21,7 @@ name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index d98c6e1a1..8eb94c19d 100644 --- a/rules_building_block/discovery_generic_registry_query.toml +++ b/rules_building_block/discovery_generic_registry_query.toml @@ -21,7 +21,7 @@ name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index 361bbae9f..cfb7de97c 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml @@ -22,7 +22,7 @@ name = "System Hosts File Access" risk_score = 21 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 187003d3e..9bc90cdf6 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml @@ -22,7 +22,7 @@ name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index 11c644037..ae859ad87 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -19,7 +19,7 @@ name = "Linux System Information Discovery" risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index 02dec413a..e330ef3ab 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml @@ -19,7 +19,7 @@ name = "System Owner/User Discovery Linux" risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index 2aa35a66b..2f31fc519 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -21,7 +21,7 @@ name = "Account or Group Discovery via Built-In Tools" risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index 9ab6598e7..a0a019766 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -21,7 +21,7 @@ name = "Discovery of Domain Groups" risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index d78e68709..59386a5c1 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -19,7 +19,7 @@ name = "Process Discovery via Built-In Applications" risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index cbf2ca34e..fe33ff968 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -19,7 +19,7 @@ name = "System Network Connections Discovery" risk_score = 21 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 87734b166..071b80bc8 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml @@ -21,7 +21,7 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 8d26799e6..d5c4eb011 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -21,7 +21,7 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 0a75e023e..6c29b7ca4 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -21,7 +21,7 @@ name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml index 12f9e84a5..64b662db0 100644 --- a/rules_building_block/persistence_creation_of_kernel_module.toml +++ b/rules_building_block/persistence_creation_of_kernel_module.toml @@ -21,7 +21,7 @@ name = "Creation of Kernel Module" risk_score = 21 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml index dfb52bf3c..c34019245 100644 --- a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml +++ b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml @@ -24,7 +24,7 @@ name = "Potential Suspicious File Edit" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" diff --git a/rules_building_block/privilege_escalation_expired_driver_loaded.toml b/rules_building_block/privilege_escalation_expired_driver_loaded.toml index 271e36c38..43dbc5668 100644 --- a/rules_building_block/privilege_escalation_expired_driver_loaded.toml +++ b/rules_building_block/privilege_escalation_expired_driver_loaded.toml @@ -24,7 +24,7 @@ references = [ risk_score = 21 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index 19e7ea0ed..3a47f22cf 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml +++ b/rules_building_block/privilege_escalation_trap_execution.toml @@ -22,7 +22,7 @@ name = "Trap Signals Execution" risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/privilege_escalation_unquoted_service_path.toml b/rules_building_block/privilege_escalation_unquoted_service_path.toml index d530c3f64..593047457 100644 --- a/rules_building_block/privilege_escalation_unquoted_service_path.toml +++ b/rules_building_block/privilege_escalation_unquoted_service_path.toml @@ -22,7 +22,7 @@ name = "Potential Exploitation of an Unquoted Service Path Vulnerability" risk_score = 21 rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index f99192d00..6e56a91c8 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -265,7 +265,7 @@ class TestRuleTags(BaseRuleTest): """Test that expected tags are present within rules.""" required_tags_map = { - 'logs-endpoint.events.*': {'all': ['Domain: Endpoint']}, + 'logs-endpoint.events.*': {'all': ['Domain: Endpoint', 'Data Source: Elastic Defend']}, 'endgame-*': {'all': ['Data Source: Elastic Endgame']}, 'logs-aws*': {'all': ['Data Source: AWS', 'Data Source: Amazon Web Services', 'Domain: Cloud']}, 'logs-azure*': {'all': ['Data Source: Azure', 'Domain: Cloud']},